403 on wireguard is quite odd, there is no path in the code that could return that status code. can you provide the complete output of fly doctor with the LOG_LEVEL=debug env variable added?
note that “suspended” is an informative and not administrative app state, it just means there are no machines running.
it does not. flyctl is probably doing something wrong here. can you try fly auth docker and pushing the image manually with docker cli, and then fly deploy --image <the image you just pushed>?